0 Votes
ft-2758 asked Shhtea01 answered

AD LDS: Constraint Violation error when trying to change owner information of the security descriptor of some object in the directory

Hello everyone,
Maybe someone can help me understand. I create a new AD LDS instance using the adaminstall wizard and specify group D1 as the group that has administrative privileges for the instance.
After that I connect to my new instance using ldp.exe and bind as user userd1, who is a member of the D1 group. Here I need to say that userd1 has no special rights on the local machine where I created the AD LDS instance; it's just an ordinary domain user.

Now I try to update the owner information (e.g. right-click on CN=Configuration -> Advanced -> Security Descriptor -> just mark the Update: Owner check box and click Update) of any object in the directory and get the following error in return:

ldap_modify_ext_s(ld, 'CN=Configuration,CN={C47F44A6-81EA-40EC-A228-E08714402D1C}', attrs, SvrCtrls, ClntCtrls);
Error: Modify: Constraint Violation. <19>
Server error: 0000051B: AtrErr: DSID-030F1F8D, #1:
0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
Error 0x51B This security ID may not be assigned as the owner of this object.

After some trial and error, I found out that if I give userd1 the SeRestorePrivilege privilege (or just add the user to the local Administrators group) on the local machine, then I can successfully update the owner information of any object in the directory.

Therefore, my questions are:
1) Why does userd1 have to have any additional rights on the local machine in order to change the owner information of objects in the AD LDS directory? Why is it not enough to be a member of the Administrators group of that AD LDS instance? Administrators have full control of objects in the directory, including the WRITE_OWNER right.

2) Is there a way to be able to update the owner information without adding the user to the local Administrators group or giving him the "Restore files or directories" privilege on the local machine?

windows-active-directory

0 Votes
VickyWang-MFST answered

Hi,

Are you trying to use Group Policy to set up its Folder Redirection component?

Group Policy has an option to set up the Folder Redirection component as Basic, Advanced, or None. On the Target tab, if you click the Basic setting, and then under Settings, you click to select the "Grant the user exclusive rights to the folder name" check box, the Folder Redirection component is unsuccessful and event messages can be displayed.


To resolve this problem:

1. Load the appropriate Group Policy from the domain.
2. Click User Configuration, click Windows Settings, and then click Folder Redirection.
3. Right-click the appropriate Folder Redirection component, and then click Properties.
4. Click the Basic setting in the Target tab, and then under Settings, click to clear the "Grant the user exclusive rights to the folder name" check box.
5. Save the settings, and then quit.

For more information, please refer to http://support.microsoft.com/kb/291087

If this does not address the problem, please check if there is any relevant error in the event log.

Regards,
Vicky


0 Votes
ft-2758 answered

Hi @VickyWang-MFST!
Thank you for the answer but unfortunately it does not address my problem. I was not talking about folder redirection; I was talking about AD LDS (Active Directory Lightweight Directory Services).

I'll add some screenshots to better explain what I am trying to do.

Firstly, I use the Adaminstall Wizard (which is found at Windows\ADAM\adaminstall.exe) to create a new AD LDS instance and set group D1 to administer this AD LDS instance:

44036-image.png


Then I connect to my newly created AD LDS instance using ldp.exe and bind as userd1, which belongs to the D1 group and thus has administrative rights for objects in this directory:

44101-image.png


Now I try to update the owner information of the security descriptor of an object in the directory. For example, let's take the root CN=Configuration,CN=... object:
44055-image.png

If I click Update now, I will get this error:

43958-image.png


But if I give userd1 the "Restore files or directories" privilege on the local machine:
44009-image.png


Then everything works fine, no errors popping up.

So, the two questions that I have are:
1) Why is it not enough to be an administrator of AD LDS to be able to change the owner information? I can see that administrators have full control over the objects in the directory, but still this mysterious "Constraint Violation" appears.

44132-image.png

2) I would like to avoid giving the "Restore files or directories" privilege to userd1 on the machine running the AD LDS instance, but still be able to change the owner information of objects in the directory using this user. Is there a way?

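The procedure in the question (bind to the AD LDS instance as userd1, rewrite only the owner part of nTSecurityDescriptor, observe the 0x51B constraint violation, then retry once SeRestorePrivilege is present) can be reproduced and diagnosed from a script instead of ldp.exe. The following PowerShell is an added example, not code from the question or from Microsoft. It assumes the instance address (localhost:50000), takes the object DN from the error text in the question, and runs under the account that is bound (userd1). The write is only attempted with the -TryOwnerUpdate switch, because it modifies the instance's configuration object.

```powershell
# Added example (not code from the question or from Microsoft): reproduce the
# owner update that ldp.exe performs and report why it fails. Assumed values:
# $Server (instance address) and $ObjectDN (copied from the error in the
# question). Run it as the bound user (userd1 in the question).
param(
    [string]$Server   = 'localhost:50000',
    [string]$ObjectDN = 'CN=Configuration,CN={C47F44A6-81EA-40EC-A228-E08714402D1C}',
    [switch]$TryOwnerUpdate   # only attempt the write when explicitly asked
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# LDAP_SERVER_SD_FLAGS_OID control restricted to OWNER_SECURITY_INFORMATION:
# read and write only the owner part of nTSecurityDescriptor, which is what
# ldp.exe's "Update: Owner" check box does.
$ownerOnly = New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl(
    [System.DirectoryServices.Protocols.SecurityMasks]::Owner)

function Connect-AdLds([string]$Server) {
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()   # Windows (SSPI) bind as the current user, like ldp.exe's Bind dialog
    return $conn
}

function Get-AdLdsOwner($Conn, [string]$DN) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $DN, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, 'nTSecurityDescriptor')
    $req.Controls.Add($ownerOnly) | Out-Null
    $entry = $Conn.SendRequest($req).Entries[0]
    $bytes = $entry.Attributes['nTSecurityDescriptor'].GetValues([byte[]])[0]
    (New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)).Owner
}

function Set-AdLdsOwner($Conn, [string]$DN, [System.Security.Principal.SecurityIdentifier]$Owner) {
    # A descriptor carrying only an owner; with the SD flags control the server
    # merges just that part into the object's existing descriptor.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor("O:$($Owner.Value)")
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name = 'nTSecurityDescriptor'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $mod.Add($bytes) | Out-Null
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $DN
    $req.Modifications.Add($mod) | Out-Null
    $req.Controls.Add($ownerOnly) | Out-Null
    try {
        $Conn.SendRequest($req) | Out-Null
        return "OK: owner set to $Owner"
    } catch {
        # PowerShell may wrap the .NET exception; unwrap to the LDAP error itself.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.DirectoryServices.Protocols.DirectoryOperationException])) {
            $ex = $ex.InnerException
        }
        if (-not $ex) { throw }
        # The failure from the question shows up here as ConstraintViolation with
        # the server text "0000051B: AtrErr: ... Att 20119 (nTSecurityDescriptor)".
        return "FAILED ($($ex.Response.ResultCode)): $($ex.Response.ErrorMessage)"
    }
}

function Test-RestorePrivilege {
    # whoami /priv lists every privilege in the current token, enabled or not.
    return [bool]((whoami /priv) -match 'SeRestorePrivilege')
}

$conn  = Connect-AdLds $Server
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$owner = Get-AdLdsOwner $conn $ObjectDN
"Bound as            : $me"
"SeRestorePrivilege  : $(Test-RestorePrivilege)"
"Current owner of DN : $owner"

if ($TryOwnerUpdate) {
    # Windows owner rule: without SeRestorePrivilege a caller may assign only its
    # own SID (or a group in its token flagged as an owner). Re-writing the
    # existing owner, which is what clicking Update in ldp.exe does, therefore
    # fails with 0x51B unless the privilege is in the token, whereas setting the
    # owner to the caller itself needs only WRITE_OWNER on the object.
    "Re-write existing owner : " + (Set-AdLdsOwner $conn $ObjectDN $owner)
    "Set owner to self       : " + (Set-AdLdsOwner $conn $ObjectDN $me)
}
```

Run it twice as userd1, once before and once after granting "Restore files or directories" on the AD LDS host, and compare the two lines printed under -TryOwnerUpdate: the first write is the one that trips the constraint violation, and the SeRestorePrivilege line shows whether the privilege is in the token that AD LDS checks. Keeping WRITE_OWNER but not the privilege is enough to take ownership as oneself, which is the least-privilege alternative to adding the account to local Administrators.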

1 Vote
VickyWang-MFST answered ft-2758 commented

Hi,
Thanks for the update; I may need some time to research it. I'll update here as soon as progress is made.
Thank you for your understanding and support.
Best wishes,
Vicky


@VickyWang-MFST,
Thanks a lot for trying to help me! Looking forward to hearing from you.


0 Votes
Shhtea01 answered

well, that went well.....
....
